
Apple Fixes 97 Vulnerabilities Across macOS, iTunes, Safari, iCloud

Apple released a massive update for macOS Sierra on Tuesday to address 72 vulnerabilities in the operating system.

Apple released a massive update for macOS Sierra on Tuesday to address 72 vulnerabilities in the operating system. The update, which was flanked by updates for iCloud, iTunes, and Safari, comes a day after it fixed a dozen issues in iOS.

Eleven of the vulnerabilities can lead to arbitrary code execution, assuming the attacker could get a victim to open a maliciously crafted file. Eight of the bugs could lead to a denial-of-service condition. Information about one of the nastier bugs, found by Ian Beer of Google’s Project Zero in the macOS kernel, is scant, but according to Apple’s advisory, if exploited it could have led to code execution in the kernel or to system termination. Beer found nine of the bugs fixed by Apple on Tuesday, four of them in the kernel.

The update includes fixes for Apple frameworks such as CoreGraphics and IO, and for volume management components such as CoreStorage. It also updates the bundled versions of PHP (to 5.6.26) and of the file transfer library cURL (to 7.51.0).

An audit (.PDF) carried out late last month by the German penetration testing firm Cure53, sponsored by Mozilla’s Secure Open Source program, identified a dozen vulnerabilities in the cURL library. Apple fixed those bugs and warned that an attacker in a privileged network position could have exploited them to leak sensitive user information.
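Since the fix for the cURL and PHP bugs is simply shipping newer versions (7.51.0 and 5.6.26, per the paragraphs above), the practical check after applying the update is whether the installed binaries are at or above those versions. The script below is an added example and not part of the Threatpost article or of Apple’s advisory; it assumes only that `curl --version` and `php -r` are available on the host being checked, and reports `missing` for a tool that is not installed.

```shell
#!/bin/sh
# Added example (not from the article): verify that installed curl and PHP
# meet the versions bundled with the macOS Sierra update described above.
set -e

# version_ge A B: return 0 if dotted version A >= B, else 1.
# Missing components are treated as 0, so 7.51 == 7.51.0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# installed_version TOOL: print the tool's version string, or "missing".
installed_version() {
  tool="$1"
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "missing"; return 0
  fi
  case "$tool" in
    curl) curl --version 2>/dev/null | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p' ;;
    php)  php -r 'echo PHP_VERSION;' 2>/dev/null ;;
    *)    echo "missing" ;;
  esac
  return 0
}

# check_minimum TOOL MINVER: print "ok", "outdated" or "missing".
check_minimum() {
  # Strip any suffix such as "-1ubuntu2" so only digits and dots remain.
  have=$(installed_version "$1" | sed 's/[^0-9.].*//')
  if [ -z "$have" ]; then
    echo "missing"; return 0
  fi
  if version_ge "$have" "$2"; then echo "ok"; else echo "outdated"; fi
  return 0
}

# Minimum versions taken from the article: cURL 7.51.0 and PHP 5.6.26.
for entry in curl:7.51.0 php:5.6.26; do
  tool="${entry%%:*}"; minver="${entry#*:}"
  printf '%-5s >= %-7s : %s\n' "$tool" "$minver" "$(check_minimum "$tool" "$minver")"
done
```

The version comparison is done component by component rather than with a string compare, which matters here: a naive string comparison would rank cURL 7.9.x above 7.51.0. An `outdated` result for either tool on a Sierra host is a sign the update has not been applied.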

Other vulnerabilities that could have allowed an attacker to modify downloaded mobile assets, or in one instance, gain root privileges, were also fixed with the macOS update.

Included in the macOS update is the latest version of Safari, 10.0.2. The update fixes 24 issues in the browser, most of which affect WebKit, Safari’s rendering engine. Those bugs could have led to code execution, the disclosure of process memory, the disclosure of user information, and the unexpected termination of the browser, Apple warns. A bug in Safari Reader, which lets users read an article on a single page, could additionally have led to universal cross-site scripting.

Most of the fixes from Safari – save for the Safari Reader issue – also found their way into an update for iTunes (12.5.4) Apple pushed to Windows users yesterday. The iTunes Store has used WebKit as its rendering engine since 2009 when Apple released iTunes 9, meaning it was affected by the same vulnerabilities.

Fixes for the same WebKit issues were also incorporated into an iCloud for Windows update (6.1) that Apple released Tuesday. One Windows-specific issue, a problem with the iCloud desktop client, was fixed with the update as well: the client failed to clear sensitive information from memory, which could have permitted a local user to leak that information.

It’s the second time Apple has patched the operating system since it was released in September; it fixed a handful of bugs, including six that could have led to code execution, in October.

Authors

Threatpost
